I know this is slightly old news, but I still wanted to talk briefly about it. Near the beginning of March, GitHub users received this message via email.

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

. . .

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

. . .

Sincerely, The GitHub Team

The following is a rough sequence of events leading up to the official notification of users. All times are in PST.

GitHub sends out an email informing all users that their public keys have been frozen and will be unusable until manually approved. [source: email]

This is a classic case of a hacker disclosing a vulnerability by exploiting it. Opinions vary as to whether this is an appropriate method of disclosure; the intentions of the parties involved have to be weighed, along with the severity of the exploit. In this case, many argued that Homakov had tried to report the issue but was brushed off, leaving him no other way to draw attention to the vulnerability. Others argued that he had been reporting it to the wrong people, or that he simply should have refrained from exploiting the hole himself. In any event, the damage (if it can be called damage) was minimal compared with what a malicious attacker could have done with the same access.

As stated in GitHub’s blog post, the final verdict was “no malicious intent”, and Homakov ultimately had his account restored. Having read through loads of comments, I’d say the general attitude of GitHubbers is one of praise rather than condemnation, but the ethics of it are certainly arguable.

When, if ever, is it okay for hackers to act on a vulnerability in order to demonstrate flaws?